This document provides high-level information on how to work with threat findings in Security Command Center.
Before you begin
You need adequate Identity and Access Management (IAM) roles to view or edit findings and logs, and modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for assistance and see Access control to learn about roles. To resolve resource errors, read the documentation for the affected products.
Understand threat findings
Security Command Center has built-in detection services that use different techniques to detect threats in your cloud environment.
Event Threat Detection produces security findings by matching events in your Cloud Logging log streams to known indicators of compromise (IoCs). IoCs, developed by internal Google security sources, identify potential vulnerabilities and attacks. Event Threat Detection also detects threats by identifying known adversarial tactics, techniques, and procedures in your logging stream, and by detecting deviations from the past behavior of your organization or project. If you activate the Security Command Center Premium tier at the organization level, Event Threat Detection can also scan your Google Workspace logs.
Container Threat Detection generates findings by collecting and analyzing low-level observed behavior in the guest kernel of containers.
Virtual Machine Threat Detection scans Compute Engine projects and virtual machine (VM) instances to detect potentially malicious applications running in VMs, such as cryptocurrency mining software and kernel-mode rootkits.
Cloud Run Threat Detection monitors the state of supported Cloud Run resources to detect the most common runtime attacks.
Sensitive Actions Service detects when actions are taken in your Google Cloud organization, folders, and projects that can be damaging to your business if they are taken by a malicious actor.
Anomaly Detection uses behavior signals from outside your system to detect security anomalies in your service accounts, such as potential leaked credentials.
These detection services generate findings in Security Command Center. You can also configure continuous exports to Cloud Logging.
Review investigation and response recommendations
Security Command Center offers informal guidance to help you investigate findings of suspicious activities in your Google Cloud environment from potentially malicious actors. Following the guidance can help you understand what happened during a potential attack and develop possible responses for affected resources.
The techniques that Security Command Center provides are not guaranteed to be effective against any previous, current, or future threats that you face. For information about why Security Command Center does not provide official remediation guidance for threats, see Remediating threats.
To view the investigation and response recommendations for a finding, locate the finding in the Threat findings index.
Review a finding
To review a threat finding in the Google Cloud console, follow these steps:
In the Google Cloud console, go to the Security Command Center Findings page.
If necessary, select your Google Cloud project, folder, or organization.
In the Quick filters section, click an appropriate filter to display the finding that you need in the Findings query results table. For example, if you select Event Threat Detection or Container Threat Detection in the Source display name subsection, only findings from the selected service appear in the results.
The table is populated with findings for the source you selected.
To view details of a specific finding, click the finding name under Category. The finding details pane expands to display a summary of the finding's details. To view the finding's JSON definition, click the JSON tab.
Findings provide the names and numeric identifiers of resources involved in an incident, along with environment variables and asset properties. You can use that information to quickly isolate affected resources and determine the potential scope of an event.
To aid in your investigation, threat findings also contain links to the following external resources:
- MITRE ATT&CK framework entries. The framework explains techniques for attacks against cloud resources and provides remediation guidance.
- VirusTotal, an Alphabet-owned service that provides context on potentially malicious files, URLs, domains, and IP addresses. If available, the VirusTotal Indicator field provides a link to VirusTotal to help you further investigate potential security issues.
VirusTotal is a separately priced offering with different usage limits and features. You are responsible for understanding and adhering to VirusTotal's API usage policies and any associated costs. For more information, see the VirusTotal documentation.
The following sections outline potential responses to threat findings.
Deactivate a threat finding
After you resolve an issue that triggered a threat finding, Security Command Center does not automatically set the state of the finding to INACTIVE. The state of a threat finding remains ACTIVE unless you manually set the state property to INACTIVE.
For a false positive, consider leaving the state of the finding as ACTIVE and instead mute the finding.
For persistent or recurring false positives, create a mute rule. Setting a mute rule can reduce the number of findings that you need to manage, which makes it easier to identify a true threat when one occurs.
For a true threat, before you set the state of the finding to INACTIVE, eliminate the threat and complete a thorough investigation of the detected threat, the extent of the intrusion, and any other related findings and issues.
To mute a finding or change its state, see the following topics:
Fix related vulnerabilities
To help keep threats from reoccurring, review and fix related vulnerability and misconfiguration findings.
To find any related findings, follow these steps:
In the Google Cloud console, go to the Security Command Center Findings page.
Review the threat finding and copy the value of an attribute that is likely to appear in any related vulnerability or misconfiguration finding, such as the principal email address or the name of the affected resource.
On the Findings page, open the Query editor by clicking Edit query.
Click Add filter. The Select filter menu opens.
From the list of filter categories on the left side of the menu, select the category that contains the attribute that you noted in the threat finding.
For example, if you noted the full name of the affected resource, select Resource. The attribute types of the Resource category are displayed in the column to the right, including the Full name attribute.
From the displayed attributes, select the type of attribute that you noted in the threat finding. A search panel for attribute values opens to the right and displays all found values of the selected attribute type.
In the Filter field, paste the attribute value that you copied from the threat finding. The displayed list of values is updated to show only the values that match the pasted value.
From the list of displayed values, select one or more values and click Apply. The Findings query results panel updates to show only the matching findings.
If there are a lot of findings in the results, filter the findings by selecting additional filters from the Quick filters panel.
For example, to show only the Vulnerability and Misconfiguration class findings that contain the selected attribute values, scroll down to the Finding class section of the Quick filters panel and select Vulnerability and Misconfiguration.
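The same pivot-and-filter procedure applied to finding JSON (as shown on the JSON tab or in a continuous export) instead of the console, as an added example that is not part of the Security Command Center documentation: it copies the resource name and principal email from a threat finding and returns the active Vulnerability and Misconfiguration findings that share them, and can be widened to other threat findings from the same principal. The field names follow the Finding resource; the sample findings and all their values are constructed.

```python
import json

# Constructed sample findings shaped like the Security Command Center Finding
# resource (findingClass, resourceName, state, access.principalEmail are the API
# field names; every value below is made up for this example).
SAMPLE_FINDINGS_JSON = """[
 {"name": "organizations/123/sources/1/findings/t1", "category": "Added Binary Executed",
  "findingClass": "THREAT", "state": "ACTIVE",
  "resourceName": "//container.googleapis.com/projects/p1/zones/z1/clusters/c1",
  "access": {"principalEmail": "svc-deploy@p1.iam.gserviceaccount.com"}},
 {"name": "organizations/123/sources/2/findings/m1", "category": "LEGACY_AUTHORIZATION_ENABLED",
  "findingClass": "MISCONFIGURATION", "state": "ACTIVE",
  "resourceName": "//container.googleapis.com/projects/p1/zones/z1/clusters/c1"},
 {"name": "organizations/123/sources/2/findings/m2", "category": "OVER_PRIVILEGED_ACCOUNT",
  "findingClass": "MISCONFIGURATION", "state": "INACTIVE",
  "resourceName": "//container.googleapis.com/projects/p1/zones/z1/clusters/c1"},
 {"name": "organizations/123/sources/1/findings/t2", "category": "Persistence: IAM Anomalous Grant",
  "findingClass": "THREAT", "state": "ACTIVE",
  "resourceName": "//cloudresourcemanager.googleapis.com/projects/p1",
  "access": {"principalEmail": "svc-deploy@p1.iam.gserviceaccount.com"}}
]"""
SAMPLE_FINDINGS = json.loads(SAMPLE_FINDINGS_JSON)

def attribute(finding, path):
    """Read a dotted attribute path such as access.principalEmail from a finding."""
    value = finding
    for part in path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def pivot_attributes(threat):
    """The values a reviewer would copy from a threat finding to search with:
    the affected resource's full name and, when present, the principal email."""
    paths = ("resourceName", "access.principalEmail")
    return {p: attribute(threat, p) for p in paths if attribute(threat, p)}

def related_findings(threat, findings, classes=("VULNERABILITY", "MISCONFIGURATION"),
                     active_only=True):
    """(name, category, matched attribute) for every finding of the given classes
    sharing a pivot value with the threat; skips the threat itself and, by
    default, findings whose state is already INACTIVE."""
    pivots = pivot_attributes(threat)
    matches = []
    for f in findings:
        if f["name"] == threat["name"] or f.get("findingClass") not in classes:
            continue
        if active_only and f.get("state") != "ACTIVE":
            continue
        for path, value in pivots.items():
            if attribute(f, path) == value:
                matches.append((f["name"], f["category"], path))
                break
    return matches
```

Calling related_findings with classes=("THREAT",) instead of the default returns other threat findings that share the principal or resource, which is the "other related findings" a true-threat investigation should also cover.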
Remediating threats
Remediating threat findings isn't as simple as fixing misconfigurations and vulnerabilities identified by Security Command Center.
Misconfigurations and compliance violations identify weaknesses in resources that could be exploited. Typically, misconfigurations have known, easily implemented fixes, like enabling a firewall or rotating an encryption key.
Threats differ from vulnerabilities in that they are dynamic and indicate a possible active exploit against one or more resources. A remediation recommendation might not be effective in securing your resources because the exact methods used to achieve the exploit might not be known.
For example, an Added Binary Executed finding indicates that an unauthorized binary was launched in a container. A basic remediation recommendation might advise you to quarantine the container and delete the binary, but that might not resolve the underlying root cause that allowed the attacker access to execute the binary. You need to find out how the container image was corrupted to fix the exploit. Determining whether the file was added through a misconfigured port or by some other means requires a thorough investigation. An analyst with expert-level knowledge of your system might need to review it for weaknesses.
Bad actors attack resources using different techniques, so applying a fix for a specific exploit might not be effective against variations of that attack. For example, in response to a Brute Force: SSH finding, you might lower permission levels for some user accounts to limit access to resources. However, weak passwords might still provide an attack path.
The breadth of attack vectors makes it difficult to provide remediation steps that work in all situations. Security Command Center's role in your cloud security plan is to identify impacted resources in near-real time, tell you what threats you face, and provide evidence and context to aid your investigations. However, your security personnel must use the extensive information in Security Command Center findings to determine the best ways to remediate issues and secure resources against future attacks.
What's next
- Refer to Threat findings index.